Federal Times Blogs
The Defense Information Systems Agency is one step closer to standing up cloud broker services for the Defense Department.
As DoD’s cloud broker, DISA will manage the use, performance and delivery of cloud services and negotiate contracts between cloud service providers and DoD consumers.
DISA announced Tuesday that it has developed a process for gathering and assessing DoD’s cloud computing requirements and for evaluating vendors’ cloud offerings against contract requirements, and has created a catalog of cloud services. In a June 2012 memo, DoD Chief Information Officer Teri Takai said all DoD components must acquire government- or industry-provided cloud services through DISA, or obtain a waiver.
DISA will manage cloud services categorized as low or moderate impact, meaning the potential impact on DoD operations if the data or service were lost or compromised in a disaster or cyberattack is low or moderate. The agency will also ensure that cloud offerings comply with the department’s information assurance and cybersecurity policies.
DISA is using Federal Risk and Authorization Management Program (FedRAMP) standards to vet cloud providers. The security program provides baseline standards to approve cloud services and products for governmentwide use.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.
So far, CGI Federal and North Carolina-based Autonomic Resources are the only companies that have completed the FedRAMP security reviews. The companies will be the first FedRAMP-approved vendors to host DoD’s public data inside commercial data centers.
DoD approval of these companies to provide commercial cloud services is imminent, according to DISA. Both companies have already seen big business among civilian agencies and have spots on the General Services Administration’s cloud computing contract.
GSA is deciding whether to stand up similar cloud broker services for civilian agencies, which could entail private companies serving as brokers.
Agencies were directed last fall to cut a combined $7.7 billion from their information technology budgets in 2014 and propose ways to redirect those funds for priority projects.
Duplicative investments, failing projects, help desks and contracts for email, desktops and mobile devices are among the areas targeted for cuts, according to budget guidance released by the Office of Management and Budget in August.
Details of the proposed cuts were included in agencies’ budget submission documents and were incorporated into the president’s budget, which is due out Wednesday.
For each agency, cuts will amount to 10 percent of their average annual IT spending from 2010 to 2012. The combined cuts would reduce agencies’ IT budgets from $74.1 billion – the figure in the president’s 2013 budget plan – to $66.4 billion for 2014.
Hardest hit will be the Defense Department, which will see a $3.5 billion reduction; followed by the Health and Human Services Department, $662 million; and the Department of Homeland Security, $587 million.
Agencies must propose to OMB how they would reinvest at least 5 percent of that money in priority areas that align with administration initiatives such as:
* Cloud First, which requires agencies to use cloud computing technologies when a reliable and cost-effective solution exists.
* Shared First, an effort to share common IT services within agencies and ultimately across agencies.
* The Digital Government Strategy, aimed at providing better online services to citizens and making government data available in standard, digital formats.
Agencies must propose reinvestment projects that will show a return on investment within 18 months, according to OMB’s guidance. OMB will then decide whether to approve those plans. Projects can include:
* Improved citizen services or administrative efficiencies.
* Shared services.
* IT consolidation, including data center consolidation.
* Improved IT security and information assets.
* Improved energy efficiency of IT facilities and equipment.
* Innovative investments such as cloud computing, modular development, improper-payment reduction and digital government.
* Data analytics or data management consistent with administration priorities.
Chief information officers are also contending with across-the-board cuts, which took effect last month and total $85 billion governmentwide.
“Cuts like this require hard choices,” said Roger Baker, former CIO at the Veterans Affairs Department. If a program is facing a 9 percent cut, agencies have to decide what they can and cannot get done.
Baker, who now serves as chief strategy officer for Virginia-based Agilex Technologies, suggested CIOs prioritize what they can get done with their remaining funding, rather than trying to fund everything with a reduced budget.
At VA, there is a prioritized unfunded list for key projects that are next in line for funding, Baker said. A departmentwide team agrees on projects and submits those recommendations to an IT leadership board. The project list is then approved by the deputy secretary.
The issue for most agencies is they can’t move funding across different projects, he said.
Whether OMB will allow agencies to reinvest some or all of their savings is unclear, but Baker said software license spending is one area ripe for savings.
Agencies are better prepared to negotiate pricing when they know what software licenses they are using and how many. Over the past five years, VA has saved about $200 million on software licenses by purchasing only what is needed.
“Typically, what happens is in the year you make the optimization you get to keep the dollars, but there is no guarantee where federal budget is concerned,” Baker said.
You may want to think twice before opening that social media account for your agency.
In an April 4 memo, the Office of Management and Budget put agencies on notice that employees may be in violation of the Antideficiency Act by agreeing to open-ended terms of service for certain websites. You’ve seen them: the lists of terms and conditions that most of us don’t bother to read.
The good news: If you don’t have contracting authority, then your consent on the government’s behalf isn’t binding. For contracting officials, however, that’s a different story.
The Antideficiency Act prohibits agencies from spending funds that have not been appropriated or from accepting voluntary services. Here’s what the Justice Department’s Office of Legal Counsel has to say on the social media/Antideficiency Act issue:
…in certain circumstances, a Federal employee with contracting authority violates the Antideficiency Act when he or she opens an agency account for a social media application that is governed by Terms of Service (TOS) that include an open-ended indemnification clause. An Antideficiency Act violation may occur in such a situation because an agency’s agreement to an open-ended indemnification clause could result in the agency’s legal liability for an amount in excess of the agency’s appropriation.
Apparently the issue is serious enough for OMB to call on the Federal Acquisition Regulatory Council to get involved:
OMB has requested that the Federal Acquisition Regulatory Council (FAR Council) undertake a rulemaking, through the issuance of an interim rule, to amend the Federal Acquisition Regulation (FAR) to require contracting officers to put contractors on notice that any [terms of service], [end user license agreements] or other agreement requiring the government or government-authorized end user to indemnify the contractor for damages, costs, or fees incurred is unenforceable against the government or end-user and will be read out of the agreement to prevent violations of the Antideficiency Act.
To be on the safe side, here’s a list of amended terms of service agreements from the General Services Administration.
After transforming information technology operations at the Veterans Affairs Department, Roger Baker has moved back to the private sector to continue serving federal customers from the outside.
Baker has been named chief strategy officer for Virginia-based Agilex Technologies, a professional IT services firm known for developing IT projects in smaller, faster increments, or agile development. In this newly created position, Baker will assist federal customers with IT modernization efforts and with lowering IT operations costs, and will also play a key role in expanding the company’s federal reach. At VA, Agilex has been a major player in advancing the department’s mobile initiatives through several contract awards, including one to develop mobile applications for VA clinicians.
After a four-year tenure, Baker stepped down last month as VA’s CIO and assistant secretary for information and technology. Prior to that, Baker held executive roles at several companies, including General Dynamics Information Technology and CACI International.
Thousands of rogue Apple, Android and Windows devices found operating on the Army’s network could pose major security risks to sensitive data and Army network operations, according to a recent report.
Army commands failed to report more than 14,000 commercial smartphones and tablet computers being used across the service for research activities, data collection, mobile device pilot programs and other tasks, according to the March 26 inspector general report. The Army Corps of Engineers’ Engineer Research and Development Center in Vicksburg, Miss., and the U.S. Military Academy at West Point, N.Y., were among the locations using unapproved devices.
Army officials at those sites did not ensure the devices met security standards to protect data, and they failed to require that all smartphones and tablets be wiped of data if reported lost or handed to a new user. A lack of clear guidance from the Army chief information officer led officials to forgo training and user agreements before handing out mobile devices.
“The Army did not implement an effective cybersecurity program for commercial mobile devices,” the report said. “If devices remain unsecure, malicious activities could disrupt Army networks and compromise sensitive DoD information.”
“The Army CIO inappropriately concluded that [commercial mobile devices] were not connecting to Army networks and storing sensitive information; and, therefore, did not” require the same security standards used for other information systems, according to the report.
The IG review was conducted between April 2012 and February 2013 and did not include Blackberry devices.
The IG office set an April 25 deadline for the Army to comment on its recommendations, which include creating clear policy for tracking and reporting mobile device purchases and ensuring mobile devices follow the same security standards as other information systems. Earlier comments provided by the director for the Army CIO Cybersecurity Directorate were deemed nonresponsive.
As of February, DoD reported more than 600,000 commercial mobile devices in use and in a pilot test phase, including 470,000 Blackberrys, 41,000 Apple devices and 8,700 Android devices. The challenge, however, is managing those devices.
Army officials are eager for DoD’s mobile device management contract to be awarded this month. The management software will eventually manage, monitor and enforce security for 8 million devices. It will allow the Army to remotely wipe data from devices and to monitor which applications users download, which websites they visit and what data they view or modify on their devices.
The General Services Administration has launched a full review of its key online procurement system, after discovering a security vulnerability that may have exposed users’ sensitive data.
The security flaw was reported to GSA on March 8, and the agency has since patched the system and is investigating potential impacts to vendors registered in GSA’s System for Award Management (SAM).
“When we got the word that this might be the case, we got right on it,” GSA Acting Administrator Dan Tangherlini told reporters Tuesday following a congressional hearing. “And there is nothing that we won’t do, there’s no step we’re not going to take to ensure the safety and the security of people’s data within that system.”
Tangherlini said GSA is testing changes to the system and will continue to keep users informed. “I am incredibly concerned about it, and the good news is that everyone in the organization is incredibly concerned,” he said of the system’s known security flaw.
The vulnerability could have compromised sensitive information, including Social Security numbers, of individuals registered in the system, according to GSA.gov. Contractors that use Social Security numbers instead of taxpayer identification numbers could be at greater risk, and those individuals will receive credit monitoring.
The vision for the SAM system is to serve as a single access point for nine procurement systems, but GSA has yet to accomplish that goal. To date, SAM incorporates four of the nine systems and provides access to contractors’ business information, the certifications they need to receive federal contracts and grants, and the list of contractors that have been suspended or debarred.
In 2008, GSA began consolidating its systems in an effort to reduce costs, eliminate redundancies and improve efficiency.
A March 2012 Government Accountability Office report found that “while GSA has taken some steps to reduce costs, it has not reevaluated the business case for SAM or determined whether it is the most cost-effective alternative.”
The Federal Acquisition Service and Office of the Chief Information Officer are now providing program oversight, following an internal review of all GSA operations last year. Tangherlini has also called for the development, reporting and monitoring of key metrics for the SAM project.
The House Oversight and Government Reform Committee will vote on legislation Wednesday to overhaul how agencies buy and manage information technology.
Rep. Darrell Issa, R-Calif., introduced the Federal Information Technology Acquisition Act on Monday after months of circulating the draft bill to industry groups for feedback.
Rep. Gerry Connolly, D-Va., has expressed general support for the bill, which has since undergone revisions to address concerns voiced by industry and others.
Under Issa’s new plan:
- CIOs at 16 major civilian agencies, including the Veterans Affairs and Agriculture departments, must be presidential appointees or designees and report directly to the head of their agency. Today, most CIOs at large agencies are political appointees, but not all of them report to the head of their agencies.
- The Government Accountability Office would review the effectiveness of the CIO Council, an interagency forum charged with improving federal IT practices. The council must also submit annual reports to Congress on its progress.
- CIOs would track and report the costs and savings under the administration’s data center consolidation initiative.
- The Office of Management and Budget would house a Collaboration Center aimed at assisting agencies with challenging IT projects. In the previous draft, agencies would have been required to consult with experts at a so-called commodity IT center for contracts exceeding $50 million. Use of the newly created acquisition centers of excellence would be optional.
- OMB must publish the status of 80 percent of the government’s $80 billion IT portfolio on the IT Dashboard, and OMB must ensure the data is current and accurate. Today, only 50 percent of the IT budget is publicly available on the Dashboard.
- CIOs would have greater flexibility to fund cloud projects through cloud service working capital funds at their agencies.
Federal officials are working to streamline the government’s security program for cloud products and services.
A critical part of the Federal Risk and Authorization Management Program (FedRAMP) mandates that cloud vendors hire a third-party assessment organization, or 3PAO, to verify that they meet federal security requirements. Today, the General Services Administration and the National Institute of Standards and Technology must first approve those 3PAOs. Then there’s the task of monitoring the performance of the 3PAOs and recommending whether to renew or revoke their status.
In a request for information to industry, GSA asked for input on how to privatize the accreditation process for 3PAOs. As FedRAMP evolves into a fully operational program within the next month or two, GSA is identifying ways to scale the program and get more cloud contractors through the FedRAMP process.
To date, there are 16 companies designated as approved 3PAOs, but that number is expected to increase. Only two vendors have completed the FedRAMP process.
GSA wants to contract with a privatized board to accredit 3PAOs, based on program standards. GSA wants industry to comment on the evaluation process for 3PAOs and how long those companies should have to comply with new accreditation standards. Those responses are due Feb. 26.
The Veterans Affairs Department’s chief information officer, Roger Baker, told employees Friday he will resign, the department confirmed.
In a message to IT staff, Baker did not say when his last day will be and offered no explanation about his resignation. The DorobekINSIDER hinted that Baker may leave as soon as March 1.
Here’s some of what Baker told employees:
I would like to thank each of you for your hard work and dedication in serving our VA customers and our Nation’s Veterans. Over the last four years, VA IT has come to be recognized as a leader in federal IT. We have improved our relationships with our IT customers; established one of the highest performing product delivery organizations in the world; achieved visibility to our networks and medical devices; focused our decision-making based on metrics and not by anecdotes; and become an IT organization that is seen as an investment for the VA rather than an expense.
Most critically, VA IT has become the backbone for the transformation of the VA into a 21st Century organization that the Secretary has envisioned. Your ability to deliver the technology necessary to support that transformation and to reliably meet our commitments to our customers is fundamental to that transformation.
Under Baker’s watch, VA instituted a program that drastically improved the number of IT projects delivered on schedule.
Baker also has a senior role in VA’s partnership with the Defense Department to integrate their electronic health record systems. That project recently came under fire from lawmakers, who criticized the departments’ decision to revise plans to create a single electronic health record system.
President Barack Obama will issue an executive order Wednesday aimed at tightening the nation’s cybersecurity.
Senior administration officials, including White House Cybersecurity Coordinator Michael Daniel and Army Gen. Keith Alexander, head of U.S. Cyber Command, will provide details on cyber policy Wednesday morning at the Commerce Department. Officials will provide an update on cybersecurity priorities for 2013, including information sharing and reducing cyber risks, Commerce announced Tuesday.
The executive order is said to include provisions establishing voluntary cybersecurity standards for critical infrastructure sectors, such as transportation and energy, where federal regulators already have authority to enforce standards. However, an executive order cannot provide liability protections for companies that follow those standards but are attacked; only legislation can.
The order is also expected to direct agencies to share cyber threat information with companies operating critical infrastructure.
Lawmakers failed last year to pass comprehensive cybersecurity legislation, but Rep. Mike Rogers, R-Mich., chairman of the House Permanent Select Committee on Intelligence, and Rep. Dutch Ruppersberger, D-Md., plan to reintroduce cyber legislation Wednesday.
The Cyber Intelligence Sharing and Protection Act (CISPA), HR 624, would allow the government and industry to voluntarily share information about malicious attacks and malware. Companies that share information under the bill’s provisions or act to protect their networks would be granted legal protections if they are subject to a cyber attack. An earlier version of the bill passed the House last April.